I'm reading this blog and it says:
If the /proc/self/environ file can be accessed through LFI, then in this case “RCE” can be achieved by requesting the file in combination with the payload written into the HTTP User-Agent field.
Then, it goes on to say:
GET lfi.php?file=../../../proc/self/environ HTTP/1.1
User-Agent: <?php phpinfo();?>
Now if an attacker sends the above HTTP request to the web server then:
- First, the data in the User-Agent field will be written to the /proc/self/environ file.
- Then the page request "lfi.php?file=../../../proc/self/environ" will include the content of the /proc/self/environ file into the output page and our payload gets executed.
Now, I understand the first part of it: when we include /proc/self/environ, a Linux-based operating system fills the file with information related to the environment it was called from. In our case, it gets populated with the HTTP request, as our environment happens to be a browser.
What I do not understand is why the content of the HTTP request is getting executed. Looking at it from a developer's standpoint, lfi.php gets executed and there's a function in the file that reads the content of the file passed to it as a parameter. So, the content of the file /proc/self/environ and, by extension, the content of the HTTP request should be read and not executed. Can someone please explain what I am missing?
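The distinction the question turns on, as an added example that is not part of the original post: PHP's include() does not "read" a file, it hands the file's bytes to the PHP parser, so any <?php ... ?> block in the included content is executed while the rest is echoed. Reading with file_get_contents() never executes anything. The hardened variant below removes user control over the path entirely by mapping a page name to a fixed allowlist. The file name lfi.php, the file/page query parameters, and the pages/ directory are assumptions for illustration.

```php
<?php
// Added example, not code from the original post. Contrasts include()
// (parses and executes) with file_get_contents() (reads bytes), and shows
// an allowlisted replacement for an include driven by a request parameter.
// lfi.php, $_GET['file'], $_GET['page'] and the pages/ directory are assumed names.

// --- The pattern the question describes ---
// include() gives the file to the PHP parser: text outside <?php ... ?> is
// printed, text inside is executed as code. The file's origin does not matter;
// whatever bytes the path resolves to become PHP source.
function render_with_include(string $file): void
{
    include $file;   // parser, not reader
}

// --- Reading, by contrast, never executes ---
// file_get_contents() returns the bytes untouched; escaping before output
// keeps them inert in the browser as well.
function render_as_text(string $file): void
{
    $data = file_get_contents($file);
    if ($data === false) {
        http_response_code(404);
        return;
    }
    echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

// --- Hardened include: fixed allowlist, no user-controlled path ---
// Only paths written by the developer can ever reach include().
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function render_allowlisted(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include PAGES[$page];
}

// Entry point: the request chooses a key, never a path.
render_allowlisted($_GET['page'] ?? 'home');
```

The allowlist is the fix to prefer over path sanitisation: filtering "../" or checking prefixes leaves the path itself under attacker influence, whereas a key lookup means include() only ever sees constants the developer wrote.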